CVE-2026-45005

Summary

OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.4.23affected
OpenClawOpenClaw2026.4.23unaffected

Weaknesses

  • CWE-672: Operation on a Resource after Expiration or Release

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References